Skip to content

Fix TSA #2816218: suppress Flawfinder false positive on Cython read-loop iterator (pydevd_frame_evaluator.c)#2030

Merged
StellaHuang95 merged 1 commit into
microsoft:mainfrom
StellaHuang95:stellahuang/tsa-2816218-flawfinder-cython-read-loop
May 28, 2026
Merged

Fix TSA #2816218: suppress Flawfinder false positive on Cython read-loop iterator (pydevd_frame_evaluator.c)#2030
StellaHuang95 merged 1 commit into
microsoft:mainfrom
StellaHuang95:stellahuang/tsa-2816218-flawfinder-cython-read-loop

Conversation

@StellaHuang95
Copy link
Copy Markdown
Contributor

@StellaHuang95 StellaHuang95 commented May 28, 2026

Issue

Internal Flawfinder compliance scan flagged a for loop containing the identifier read in the Cython-generated pydevd_frame_evaluator.c.

  • Work item: TSA #2816218
  • Rule: FlawFinder/buffer/read"Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20)"
  • File: src/debugpy/_vendored/pydevd/_pydevd_frame_eval/pydevd_frame_evaluator.c
  • Line: 25728
  • AB#2816218

What Flawfinder reported

__Pyx_InterpreterIdAndModule *read  = data->table;
__Pyx_InterpreterIdAndModule *write = data->table;
__Pyx_InterpreterIdAndModule *end   = read + data->count;
for (; read<end; ++read) {                  // ← flagged
    if (read->module) {
        write->id     = read->id;
        write->module = read->module;
        ++write;
    }
}

This is the Cython 3.x runtime boilerplate function __Pyx_State_ConvertFromInterpIdAsIndex (per-interpreter module-state compaction). The same function is emitted into every Cython-generated .c file.

Why this is a false positive

Flawfinder's buffer/read rule fires whenever the identifier read appears inside a loop, on the assumption it refers to the POSIX read() syscall (which can return fewer bytes than requested). Here read is a variable name — specifically a pointer iterator walking data->table — not a syscall.

The loop is provably bounded:

  • end = read + data->count defines the upper bound.
  • The loop condition read < end guarantees read never advances past the last valid slot.
  • write only advances on successful copies and always trails read, so write <= read <= end is invariant.

Fix

  1. Add /* Flawfinder: ignore */ to the flagged line. This is the documented Flawfinder suppression token (see flawfinder --help).
  2. Add a corresponding c_file_contents.replace(...) to the existing post-processing block in setup_pydevd_cython.py so the suppression is automatically re-applied if Cython is re-run to regenerate the .c file.

The annotation is a C block comment — equivalent to whitespace at the lexer level, with zero effect on compiled output or runtime behavior.

Verification

Ran Flawfinder 2.0.20 locally against the modified file:

Run Hits at line 25728
Default 0
flawfinder --neverignore (suppressions disabled) 2 (the originally reported warning reappears — one hit per read token on that line)

The originally flagged warning is silenced, and the positive control with --neverignore confirms the suppression is what's silencing it.

Risk

Zero behavioral change. The .c file edit is a comment; the setup_pydevd_cython.py edit is a str.replace() that is a no-op if the matched text is absent (so it's safe even if Cython upstream changes its output).

Related

The same Cython boilerplate appears in two sibling generated files and is tracked separately:

  • TSA #2816219 → _pydevd_sys_monitoring_cython.c
  • TSA #2816220 → pydevd_cython.c

Each is fixed in its own PR.

@StellaHuang95
Fix TSA #2816218: suppress Flawfinder false positive on Cython read-l…
ab5c9a2 
…oop iterator

Flawfinder's buffer/read rule (CWE-120, CWE-20) fires whenever an
identifier named "read" appears inside a loop, assuming it refers to the
POSIX read() syscall. The Cython 3.x ModuleStateLookup boilerplate in
__Pyx_State_ConvertFromInterpIdAsIndex uses "read" as the name of a
pointer iterator that walks data->table, bounded by
end = read + data->count. There is no syscall and no unbounded buffer
access -- this is a false positive.

Add an inline /* Flawfinder: ignore */ annotation to the flagged line in
the Cython-generated pydevd_frame_evaluator.c and extend the existing
post-processing block in setup_pydevd_cython.py so the annotation is
re-applied automatically whenever Cython regenerates the .c files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@StellaHuang95 StellaHuang95 requested a review from a team as a code owner May 28, 2026 21:25
rchiodo
rchiodo approved these changes May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@rchiodo rchiodo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved via Review Center.

@StellaHuang95 StellaHuang95 merged commit 4c70e13 into microsoft:main May 28, 2026
25 of 27 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rchiodo rchiodo rchiodo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@StellaHuang95 @rchiodo